SAGAs calculi (or simply SAGAs) have been proposed by Bruni et al. as a model for long-running transactions. The approach therein can be considered static, while a dynamic approach has been proposed by Lanese and Zavattaro. In this paper we first extend both static SAGAs (in the centralized interruption policy) and dynamic SAGAs to deal with nesting, then we compare the two approaches.

1 Introduction 

Computing systems are becoming more and more complex, composed of a huge number of components interacting in different ways. Also, interactions are frequently loosely-coupled, in the sense that each component has little information on its communication partners, which may be unreliable (e.g., they may disconnect, or may not follow the expected protocol). Communication may be unreliable too, for instance in the case of wireless networks. Nevertheless, applications are expected to provide reliable services to their users. For these reasons, a main concern is the management of unexpected events.

In the case of loosely-coupled distributed systems (e.g., for web services), unexpected events are managed according to the long-running transaction approach. A long-running transaction is a computation that either commits (i.e., succeeds), or it aborts and is compensated. Compensating a (long-running) transaction means executing a sequence of actions that revert the effect of the actions that led to abortion, so as to reach a consistent state. This is a relaxation of the properties of ACID transactions from database theory [12], based on the fact that in the systems we are interested in rollback cannot always be perfect (e.g., one cannot undo the sending of an e-mail, and if one tries to undo an airplane reservation, (s)he may have to pay some penalty).

Recently, many proposals of formal models to reason about properties of long-running transactions, and about systems exploiting them, have been put forward. We concentrate on process calculi, since they are a good tool to experiment with different primitives and compare their relative merits and drawbacks. Later on, the results of these experiments can drive the design of real languages. Process calculi approaches to long-running transactions divide in two main categories: interaction-based calculi and flow composition approaches. Interaction-based calculi are obtained by extending name passing calculi with dedicated primitives, and one of their main concerns is the interplay between communication and transactions. We recall among them the πt-calculus [?], c-join [?], webπ [15], dcπ [18], the ATc calculus [?] and SOCK [?]. Flow composition approaches instead deal with the composition of atomic activities, studying how to derive compensations for complex activities from compensations of basic ones. We recall for instance SAGAs [?], StAC [?], cCSP [?] and the SAGAs calculi [6]. Some of the primitives for long-running transactions have been introduced in real languages such as WS-BPEL [17] and Jolie [16]. Long-running transactions have also been analyzed in a choreographic setting in [9]. However, only a few works [3, 14, 13] until now have tried to clarify the relationships between the different approaches. We want to go forward in the understanding of those relationships.

As shown in [13], a main distinction to be made is between static compensations, where essentially the order of execution of compensations depends on the syntactic structure of the program, and dynamic compensations, where it depends on the order of execution of the activities at runtime and cannot be determined statically. The analysis in [13] has been carried on in the case of interaction-based calculi. However, compensations are also heavily studied in the framework of flow composition languages. The only dynamic approach to compensations in the framework of flow composition languages we are aware of is the one of dynamic SAGAs [14]. There, however, only non-nested SAGAs have been defined, and they have been contrasted with the dynamic interaction-based calculus SOCK [?], but not with the classic static SAGAs calculi [6]. Here we want to carry on this last comparison. More precisely, since different flavors of static SAGAs calculi exist, we contrast them with the centralized interruption policy defined in [3]. Here "interruption" means that, if there are many concurrent flows of computation and one of them aborts, the other ones are stopped. "Centralized" instead means that the compensation procedure of parallel flows of computation is started only after all forward flows have been stopped. We have chosen this approach since it is the one that more closely matches the behavior of systems programmed in WS-BPEL or Jolie. Actually, also this flavor of SAGAs has been defined only in the non-nested case, while we are interested in the nested case too. In fact, nested SAGAs are fundamental to model complex flows of activities. Thus the contributions of this paper are:

• a description of the semantics of nested SAGAs, both under the static centralized interruption approach (Section 2) and the dynamic approach (Section 3); both the extensions are non-trivial, as we will show when we present their semantics;

• a comparison between the two semantics (Section 4), showing that the computations allowed by the dynamic semantics are a strict subset of the ones allowed by the static semantics, and this is due to the fact that the dynamic semantics is more strict on the possible orders of execution of compensations of parallel activities; this comparison has also been used as a sanity check for the formalization of the two semantics.

2 Static SAGAs 

SAGAs calculi [6] (SAGAs from now on) are calculi for defining compensating processes. A process is composed of activities, ranged over by A, B, ..., and each activity may have its own compensating activity. Processes form long-running transactions, called sagas in this context. A saga either commits (i.e., succeeds), or it aborts and is compensated. Abortion of the compensation causes a failure, which is recognized as a catastrophic event and terminates the whole process. We are interested in nested sagas, thus sagas are processes too.

Definition 1 (Sagas). Saga processes are defined by the following grammar:

$$P ::= 0 \mid A \mid A \div B \mid P;P \mid P\,|\,P \mid \{[P]\}$$

Processes can be the empty activity $0$, an activity $A$ without a specified compensation, or an activity $A \div B$ specifying $B$ as compensation for $A$. Processes can be composed in sequence ($P;P$) or in parallel ($P\,|\,P$). Sagas can be nested, thus a saga $\{[P]\}$ is a process too. In the following we will disregard activities $A$, since they can be considered as a particular instance of compensable activities $A \div B$ where $B = 0$.

The idea underlying the static SAGA semantics is that compensations of sequential activities are executed in reverse order, while compensations of parallel activities are executed in parallel. In particular,
[Table 1: Static semantics of nested SAGAs. The table consists of the inference rules (ZERO), (S-ACT), (F-ACT), (S-STEP), (A-STEP), (S-PAR), (F-PAR), (FORCED-ABT), (FORCED-FAIL), (SUB-CMT), (SUB-ABT), (SUB-FAIL-1), (SUB-FAIL-2), (SUB-FORCED-1) and (SUB-FORCED-2); the rule bodies are not legible in the extracted text, and their behavior is described in the prose of this section.]
the possible orders of execution for compensation activities can be determined statically, looking at the structure of the process. However, as shown in [?], different design choices concerning the behavior of parallel activities are possible. As already said, we consider the semantics with interruption of parallel activities and centralized compensations proposed in [3]. According to this semantics parallel activities are stopped when one of them aborts, while in the semantics without interruption they are run to the end (and then compensated). Also, compensations are handled in a centralized way (but for subtransactions), while in the semantics with distributed compensations each flow is responsible for executing its own compensations. The semantics presented in [3] however does not consider nested sagas, while we consider them important both from a theoretical and a practical point of view. From a practical point of view, nesting is fundamental to model large systems in a compositional way. From a theoretical point of view nesting raises interesting questions on the interplay between the behavior of a saga and of its subsagas. For this reason we extend the semantics to deal with nested SAGAs, taking inspiration from the one in [6], which has however distributed compensations.

Definition 2 (Static semantics of SAGAs). The static semantics $\to_s$ of SAGAs is the LTS defined in Table 1 (we assume symmetric rules for parallel composition).

A saga may commit, abort or fail, denoted respectively by $\boxdot$, $\boxtimes$ and $\boxplus$. Also, a saga may acknowledge an external abortion or failure (forced abort and forced fail), and these two possibilities are denoted by $\boxminus$ and $\overline{\boxplus}$ respectively. Finally, a saga may answer an external abortion with a failure (when an external abort causes it to compensate a subsaga, and the compensation fails), denoted as $\overline{\boxtimes}$. Note that this situation never occurs without nesting. In fact, under the centralized compensation approach, only subsagas are compensated locally, while other processes are compensated at the top level.

The behavior of a saga is determined by the behavior of its constituent activities, which is specified by an environment $\Gamma$ mapping each activity to either $\boxdot$ or $\boxtimes$. The semantics of SAGAs is given as a relation $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{\alpha}_s \langle \Box,\beta'\rangle$, defined in the big-step style. Here label $\alpha$ is the observation, showing the successfully executed activities. Observations are obtained by combining activities in sequence and in parallel. If one considers an interleaving setting, label $A|B$ can be considered as a shortcut for the two possible sequences, $A,B$ and $B,A$. We consider observations up to the following axioms: $0;\alpha = \alpha$, $\alpha;0 = \alpha$, $0|\alpha = \alpha$, $\alpha|0 = \alpha$. Also, $\beta$ is the compensation stored for execution at the beginning of the computation and $\beta'$ the final stored compensation. Finally, $\Box$ ranges over $\{\boxdot, \boxtimes, \boxplus, \boxminus, \overline{\boxplus}, \overline{\boxtimes}\}$, the possible outcomes of the saga.

The first three rules execute the empty activity and basic activities. Note that rule (F-ACT) does not execute the compensation (differently from the rules for distributed compensations in the literature), since this will be executed in a centralized way (see rule (SUB-ABT)). Rule (S-STEP) deals with sequential composition when the first part of the computation succeeds. Rule (A-STEP) deals with all the other cases. Rules (S-PAR) and (F-PAR) concern parallel composition. The operator $\wedge$ in these rules is the symmetric closure of the one defined in the table below:

[Table defining $\wedge$ on pairs of outcomes: not legible in the extracted text.]




The two rules differ since in the first case the compensation is stored, in the second one it is discarded (since a failure is involved). Rules (FORCED-ABT) and (FORCED-FAIL) show that a process can be stopped either by an external abort or by an external failure. In the second case the compensation is discarded. Rule (SUB-CMT) allows a saga to commit upon commit of its internal computation. Rule (SUB-ABT) instead allows a saga to commit upon abort of the internal computation and successful compensation. Rule (SUB-FAIL-1) propagates to a saga a catastrophic outcome of its internal computation. Rule (SUB-FAIL-2) establishes failure for an aborted saga whose compensation aborts too. Rule (SUB-FORCED-1) allows an external failure to interrupt a compensating saga. Finally, rule (SUB-FORCED-2) deals with external requests of abortion for sagas. The saga is interrupted and compensated. If the compensation is not successful then a failure is propagated to the outer level. Note that it is not possible to make a saga abort while it is executing its own compensation: the execution of a compensation is protected from further aborts. Compensations of sagas are executed locally, in parallel with the normal flow of external activities, and before starting the compensations of external sagas containing them. We show now a few derivable transitions to clarify the semantics.

Example 1. Consider a ship for transporting goods. Assume that two different kinds of goods, A and B, have to be loaded, and the order is not relevant. Also, A is not necessary, while B is. After loading the ship can leave. This can be modeled using a SAGA process $P = (\{[\mathit{loadA} \div \mathit{unloadA}]\} \,|\, \mathit{loadB} \div \mathit{unloadB});\mathit{leave}$. Assume that all the activities but $\mathit{leave}$ succeed. We can derive as a big-step:

$$\Gamma \vdash \langle P, 0\rangle \xrightarrow{\mathit{loadA}\,|\,\mathit{loadB}}_s \langle \boxtimes,\ \mathit{unloadA}\,|\,\mathit{unloadB}\rangle$$

thus the process has aborted. If we put the whole process inside a saga then compensation is actually executed and the saga succeeds:

$$\Gamma \vdash \langle \{[P]\}, 0\rangle \xrightarrow{(\mathit{loadA}\,|\,\mathit{loadB});(\mathit{unloadA}\,|\,\mathit{unloadB})}_s \langle \boxdot, 0\rangle$$

Assume now that all the activities but $\mathit{loadB}$ and $\mathit{unloadA}$ succeed. If the failure of $\mathit{loadB}$ occurs before the execution of $\mathit{loadA}$ then we have the transition:

$$\Gamma \vdash \langle P, 0\rangle \xrightarrow{0}_s \langle \boxtimes, 0\rangle$$

derived using rule (S-PAR) where the left component performs $\boxminus$ (forced abort, derived using rule (SUB-FORCED-2) with left premise $\Gamma \vdash \langle \mathit{loadA} \div \mathit{unloadA}, 0\rangle \xrightarrow{0}_s \langle \boxminus, 0\rangle$) and the right one performs $\boxtimes$.

If the failure of $\mathit{loadB}$ occurs after the execution of $\mathit{loadA}$ we have instead the transition:

$$\Gamma \vdash \langle P, 0\rangle \xrightarrow{\mathit{loadA}}_s \langle \boxplus, 0\rangle$$

derived using rule (S-PAR) where the left component performs $\overline{\boxtimes}$ (abort answered with failure, derived using rule (SUB-FORCED-2) with left premise $\Gamma \vdash \langle \mathit{loadA} \div \mathit{unloadA}, 0\rangle \xrightarrow{\mathit{loadA}}_s \langle \boxdot, \mathit{unloadA}\rangle$) and the right one performs $\boxtimes$.

Having $\boxminus$ or $\boxplus$ instead of $\overline{\boxtimes}$ (which is novel to this semantics) would not faithfully model the intuition. In fact, in the first case the result of the transition would be $\boxtimes$ instead of $\boxplus$, while in the second case the transition would not be derivable at all, since $\boxtimes \wedge \boxplus$ is undefined (otherwise an abort could make a transaction fail, even if compensations were successful).

Example 2. We consider here a modification of the example above, so as to clarify another aspect of the semantics. We consider a SAGA process $P' = \{[\mathit{loadA1} \div \mathit{unloadA1};\mathit{loadA2} \div \mathit{unloadA2}]\} \,|\, (\mathit{loadB1} \div \mathit{unloadB1};\mathit{loadB2} \div \mathit{unloadB2})$, where each load activity has been split in two subactivities. Assume that activity $\mathit{loadB2}$ aborts, while all the other activities succeed. On the right-hand side we have a transition:

$$\Gamma \vdash \langle \mathit{loadB1} \div \mathit{unloadB1};\mathit{loadB2} \div \mathit{unloadB2}, 0\rangle \xrightarrow{\mathit{loadB1}}_s \langle \boxtimes, \mathit{unloadB1}\rangle$$

This interacts with a left transition of the form:

$$\Gamma \vdash \langle \{[\mathit{loadA1} \div \mathit{unloadA1};\mathit{loadA2} \div \mathit{unloadA2}]\}, 0\rangle \xrightarrow{\mathit{loadA1};\mathit{unloadA1}}_s \langle \boxminus, 0\rangle$$

Thus the label of the whole transition is $(\mathit{loadA1};\mathit{unloadA1})\,|\,\mathit{loadB1}$. In particular, the compensation of the left branch, $\mathit{unloadA1}$, can be executed before $\mathit{loadB1}$, i.e. before the fault actually happens. This can be justified by considering an asynchronous scenario, where the observer receives events from different parallel processes out-of-order. The same problem occurs with the distributed semantics [3], and is due to the fact that sagas are compensated locally. We will see that the dynamic semantics solves this problem. An approach for solving the problem also in the static scenario can be found in [?].

3 Dynamic SAGAs 

Dynamic SAGAs have been proposed in [14], in the non-nested case, to reduce the degree of nondeterminism in saga execution. In static SAGAs, in fact, the compensation of $A_1 \div B_1 \,|\, A_2 \div B_2$ is $B_1 \,|\, B_2$. Thus both the orders $B_1,B_2$ and $B_2,B_1$ are allowed, independently of the order in which activities $A_1$ and $A_2$ have been executed. Dynamic SAGAs specify instead that compensations of parallel activities are executed in reverse order: if the execution of normal activities has been $A_1,A_2$ then the execution of compensations is $B_2,B_1$. Thus the order of execution of compensations depends on runtime information on the execution of the basic activities. While the semantics of static SAGAs is normally given in the big-step style, the semantics of dynamic SAGAs is given in the small-step one. A more detailed motivation for this will be given in the next section.

Static and dynamic SAGAs have the same syntax, differing only in the semantics. However, to define the semantics of dynamic SAGAs, we find it convenient to exploit an extended syntax:

$$P ::= \ldots \mid \{[P,\beta]\} \mid [P]_{\boxdot} \mid [P]_{\boxtimes}$$

Here $\{[P,\beta]\}$ is a running saga, where $P$ is the body and $\beta$ a stored compensation (syntactically, a process obtained as sequential composition of basic activities). From now on, $\{[P]\}$ stands for $\{[P,0]\}$. Also, $[P]_{\boxdot}$ and $[P]_{\boxtimes}$ are executing compensations. Notation $[P]_{\Box}$ ranges over both of them. Compensations should be executed in a protected way since we do not want further abortions to stop them. Similar solutions are exploited for instance in SOCK [10], WS-BPEL [17] and others. The difference between $[P]_{\boxdot}$ and $[P]_{\boxtimes}$ is that $[P]_{\boxdot}$ has been triggered by the transition itself and commits if $P$ commits, while $[P]_{\boxtimes}$ has been activated by an external abort, thus it has to re-raise the abort if $P$ commits.

We need to extract the protected compensations from a process (to actually protect them, cf. rule (A-PAR-D)), and we will use to this end the function $extr(\cdot)$ defined below. Similar functions are used, e.g., in SOCK [?] and dcπ [18].

$$extr(0) = 0 \qquad extr(A \div B) = 0 \qquad extr(P;Q) = extr(P) \qquad extr(P\,|\,Q) = extr(P)\,|\,extr(Q)$$
$$extr(\{[P,\beta]\}) = extr(P);\beta \qquad extr([P]_{\Box}) = P$$



Finally, we assume a predicate $null(P)$, which holds if $P$ has no behavior:

$$null(0) = true \qquad null(P;Q) = null(P) \wedge null(Q) \qquad null(P\,|\,Q) = null(P) \wedge null(Q)$$
$$null(\{[P,\beta]\}) = null(P) \qquad null([P]_{\boxdot}) = null(P) \qquad null([P]_{\boxtimes}) = null(P) \qquad null(P) = false \text{ otherwise}$$
The dynamic semantics of SAGAs that we present extends the one in [14] to deal with nested sagas. The extension is non-trivial: for instance, for the non-nested case neither the function $extr(\cdot)$ nor the auxiliary runtime syntax were needed.

Definition 3 (Dynamic semantics of SAGAs). The dynamic semantics $\to_d$ of SAGAs is the LTS defined in Table 2 (we assume symmetric rules for parallel composition).

Basic steps are as for the standard semantics. Rules for composition operators allow deriving both intermediate steps $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{a}_d \langle P',\beta'\rangle$ and final steps $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{a}_d \langle \Box,\beta'\rangle$ (here $\Box$ ranges over $\{\boxdot, \boxtimes, \boxplus\}$ and $a$ is an activity name). Also $\dagger$ is a possible label, denoting an abortion which is delayed to wait for termination of running compensation activities. Rules (STEP-D), (K-STEP-D), (S-STEP-D), (A-STEP-D) and (F-STEP-D) deal with the possible evolutions of sequential composition. Rules (PAR-D), (S-PAR-D) and (F-PAR-D) concern normal computation, commit and failure of one branch of parallel composition, respectively. Rule (A-PAR-D) deals with abortion of one branch. If the other branch includes some running compensations, then abortion is delayed and compensation execution is completed first. Running compensations are extracted by function $extr(P)$ and thus preserved, while other parallel activities are discarded. Delayed abortion is propagated using label $\dagger$. Label $\dagger$ is propagated by rule (K-PAR-D), extracting running compensations from parallel processes. When all the compensations have been completed (rule (A-PAR-FIN-D)) abortion is raised again. Rules (SAGA-D), (S-SAGA-D) and (F-SAGA-D) deal with normal computation, commit and failure of the internal computation in a saga, respectively. Rule (K-SAGA-D) stops the propagation of label $\dagger$. Rule (A-SAGA-D) deals with abortion of the internal computation of a saga: the stored compensation is executed in a protected way. The behavior of protection (of the two kinds) is defined by rules (PROT-D) for normal steps, rule (K-PROT-D) for delayed abortion (actually, this can happen only for $[P]_{\boxtimes}$) and rule (A-PROT-D) for abortion (producing a failure). The two kinds of protection differ in case of commit of the internal computation: $[P]_{\boxdot}$ commits (rule (S-PROT-D)) while $[P]_{\boxtimes}$ aborts (rule (S-KILLED-D)), re-raising the delayed abortion.

We show a few computations as examples.

Example 3. Let us consider the saga process defined in Example 1. Remember that $P = (\{[\mathit{loadA} \div \mathit{unloadA}]\} \,|\, \mathit{loadB} \div \mathit{unloadB});\mathit{leave}$. Assume that all the activities but $\mathit{leave}$ succeed. We can derive, e.g., the following computation:

$$\Gamma \vdash \langle P, 0\rangle \xrightarrow{\mathit{loadA}}_d \langle (\mathit{loadB} \div \mathit{unloadB});\mathit{leave},\ \mathit{unloadA}\rangle \xrightarrow{\mathit{loadB}}_d \langle \mathit{leave},\ \mathit{unloadB};\mathit{unloadA}\rangle \xrightarrow{}_d \langle \boxtimes,\ \mathit{unloadB};\mathit{unloadA}\rangle$$

thus the process has aborted. If we put the whole process inside a saga then compensation is actually executed and the saga succeeds:

$$\Gamma \vdash \langle \{[P]\}, 0\rangle \xrightarrow{\mathit{loadA}}_d \xrightarrow{\mathit{loadB}}_d \langle \{[\mathit{leave},\ \mathit{unloadB};\mathit{unloadA}]\}, 0\rangle \xrightarrow{}_d \langle [\mathit{unloadB};\mathit{unloadA}]_{\boxdot}, 0\rangle \xrightarrow{\mathit{unloadB}}_d \langle [\mathit{unloadA}]_{\boxdot}, 0\rangle \xrightarrow{\mathit{unloadA}}_d \langle \boxdot, 0\rangle$$

We consider here another possible computation, so as to clarify one of the most tricky cases of the dynamic semantics. Assume that instead of activity $\mathit{loadA}$ with compensation $\mathit{unloadA}$ we have a sequential composition of two activities, $\mathit{loadA1}$ with compensation $\mathit{unloadA1}$ and $\mathit{loadA2}$ with compensation
[Table 2: Dynamic semantics of nested SAGAs. The table consists of the inference rules (ZERO-D), (S-ACT-D), (F-ACT-D), (STEP-D), (K-STEP-D), (S-STEP-D), (A-STEP-D), (F-STEP-D), (PAR-D), (K-PAR-D), (S-PAR-D), (A-PAR-D), (A-PAR-FIN-D), (F-PAR-D), (SAGA-D), (K-SAGA-D), (S-SAGA-D), (A-SAGA-D), (F-SAGA-D), (PROT-D), (K-PROT-D), (S-PROT-D), (A-PROT-D) and (S-KILLED-D); the rule bodies are not legible in the extracted text, and their behavior is described in the prose of this section.]
$\mathit{unloadA2}$. Assume also that activity $\mathit{loadB}$ aborts, while the other activities succeed.

$$\Gamma \vdash \langle P'', 0\rangle \xrightarrow{\mathit{loadA1}}_d \langle (\{[\mathit{loadA2} \div \mathit{unloadA2},\ \mathit{unloadA1}]\} \,|\, \mathit{loadB} \div \mathit{unloadB});\mathit{leave},\ 0\rangle \xrightarrow{\dagger}_d \langle [\mathit{unloadA1}]_{\boxtimes}, 0\rangle \xrightarrow{\mathit{unloadA1}}_d \langle \boxtimes, 0\rangle$$

Here $\mathit{loadB}$ aborts when the parallel saga is still running, thus abortion is postponed. After compensation has been performed, the abortion is raised again.

Example 4. We show now the behavior of the saga in Example 2 when executed under the dynamic semantics.

$$\Gamma \vdash \langle P', 0\rangle \xrightarrow{\mathit{loadA1}}_d \langle \{[\mathit{loadA2} \div \mathit{unloadA2},\ \mathit{unloadA1}]\} \,|\, \mathit{loadB1} \div \mathit{unloadB1};\mathit{loadB2} \div \mathit{unloadB2},\ 0\rangle$$

Here $\mathit{unloadA1}$ is not enabled, and it becomes enabled only after $\mathit{loadB1}$ is observed and $\mathit{loadB2}$ is executed, triggering the abort:

$$\Gamma \vdash \langle P', 0\rangle \xrightarrow{\mathit{loadA1}}_d \langle \{[\mathit{loadA2} \div \mathit{unloadA2},\ \mathit{unloadA1}]\} \,|\, \mathit{loadB1} \div \mathit{unloadB1};\mathit{loadB2} \div \mathit{unloadB2},\ 0\rangle$$
$$\xrightarrow{\mathit{loadB1}}_d \langle \{[\mathit{loadA2} \div \mathit{unloadA2},\ \mathit{unloadA1}]\} \,|\, \mathit{loadB2} \div \mathit{unloadB2},\ \mathit{unloadB1}\rangle$$
$$\xrightarrow{\dagger}_d \langle [\mathit{unloadA1}]_{\boxtimes},\ \mathit{unloadB1}\rangle \xrightarrow{\mathit{unloadA1}}_d \langle \boxtimes,\ \mathit{unloadB1}\rangle$$

4 Static vs Dynamic SAGAs 

In this section we compare the static and dynamic semantics of nested SAGAs. In particular, we show 
that each computation obtained from the dynamic semantics is compatible with a big-step of the static 
semantics. We show also that the static semantics allows for more nondeterminism in the order of 
execution of activities, i.e. it allows for some computations not valid according to the dynamic semantics. 

Labels of a big-step correspond to sets of computations of small-steps (assuming an interleaving interpretation for parallel composition). We write $\xRightarrow{\alpha}$ with $\alpha = a_1;\ldots;a_n$ to denote $\xrightarrow{a_1}_d \cdots \xrightarrow{a_n}_d$. We remove from $\alpha$ both $0$ and $\dagger$. However, big-step labels may also include parallel composition operators, thus to perform the comparison we have to introduce the concept of linearization. We consider the set of linearizations $lin(\alpha)$ of a big-step label $\alpha$, which is defined by structural induction on $\alpha$:

$$lin(A) = \{A\}$$
$$lin(\alpha;\alpha') = \{\gamma;\gamma' \mid \gamma \in lin(\alpha) \wedge \gamma' \in lin(\alpha')\}$$
$$lin(\alpha\,|\,\alpha') = \bigcup_{\gamma \in lin(\alpha) \wedge \gamma' \in lin(\alpha')} \gamma \,|||\, \gamma'$$

where $|||$ is defined as follows:

$$0 \,|||\, \gamma = \{\gamma\}$$
$$\gamma \,|||\, 0 = \{\gamma\}$$
$$A;\gamma \,|||\, A';\gamma' = \{A;\gamma'' \mid \gamma'' \in \gamma \,|||\, A';\gamma'\} \cup \{A';\gamma'' \mid \gamma'' \in A;\gamma \,|||\, \gamma'\}$$

In words, $|||$ computes the set of all possible interleavings of the sequences of actions in its two arguments.

Summarizing, a big-step label $\alpha$ corresponds to the set of small-step computations with labels in $lin(\alpha)$.
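As an added illustration (not part of the paper), the following Python implements $lin(\cdot)$ and $|||$ as defined above and uses them to check, on the flat ship saga of Example 1, the claim made in Section 3 and in this section: every trace of the dynamic semantics (forward activities in some order, then their compensations in reverse order) is a linearization of the static big-step label, while the static label also admits the compensation orders the dynamic semantics rules out. The encoding of labels as Python objects and the trace generator for this restricted shape of saga are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import permutations

# Assumed encoding of big-step labels: an activity name is a str, the empty
# activity 0 is the int 0, and Seq/Par build alpha;alpha' and alpha|alpha'.
@dataclass(frozen=True)
class Seq:
    left: object
    right: object


@dataclass(frozen=True)
class Par:
    left: object
    right: object


def interleave(g, h):
    """g ||| h: the set of all interleavings of two activity sequences (tuples).
    Follows the three clauses of the text: 0|||g = {g}, g|||0 = {g}, and
    A;g ||| A';g' = {A;g'' | g'' in g ||| A';g'} U {A';g'' | g'' in A;g ||| g'}."""
    if not g:
        return {h}
    if not h:
        return {g}
    return ({(g[0],) + rest for rest in interleave(g[1:], h)}
            | {(h[0],) + rest for rest in interleave(g, h[1:])})


def lin(label):
    """lin(alpha): all linearizations of a big-step label, each a tuple of names."""
    if label == 0:                       # 0 contributes the empty sequence
        return {()}
    if isinstance(label, str):           # lin(A) = {A}
        return {(label,)}
    if isinstance(label, Seq):           # lin(a;a') = {g;g' | g in lin(a), g' in lin(a')}
        return {g + h for g in lin(label.left) for h in lin(label.right)}
    if isinstance(label, Par):           # lin(a|a') = union of g ||| g'
        result = set()
        for g in lin(label.left):
            for h in lin(label.right):
                result |= interleave(g, h)
        return result
    raise TypeError(f"not a big-step label: {label!r}")


def static_label(activities):
    """Static big-step label of {[ (A1÷B1 | ... | An÷Bn); fail ]} where every Ai
    and Bi succeeds and 'fail' aborts: (A1|...|An);(B1|...|Bn), as in Example 1."""
    forward, comp = activities[0]
    for a, b in activities[1:]:
        forward, comp = Par(forward, a), Par(comp, b)
    return Seq(forward, comp)


def dynamic_traces(activities):
    """Small-step traces of the same saga under the dynamic semantics: the Ai run
    in any order, then the stored compensation Bn;...;B1 runs in reverse order."""
    traces = set()
    for order in permutations(activities):
        forward = tuple(a for a, _ in order)
        comp = tuple(b for _, b in reversed(order))
        traces.add(forward + comp)
    return traces


def compare(activities):
    """Return (dynamic traces ⊆ static linearizations, static-only traces)."""
    static = lin(static_label(activities))
    dynamic = dynamic_traces(activities)
    return dynamic <= static, static - dynamic


# Constructed input: the ship of Example 1, loadA÷unloadA | loadB÷unloadB, then
# 'leave' aborts.
SHIP = [("loadA", "unloadA"), ("loadB", "unloadB")]

# Example 2 / Example 4: the static label (loadA1;unloadA1)|loadB1 admits the
# compensation before the fault, while the dynamic trace observes loadB1 first.
EXAMPLE2_LABEL = Par(Seq("loadA1", "unloadA1"), "loadB1")
EXAMPLE4_TRACE = ("loadA1", "loadB1", "unloadA1")

if __name__ == "__main__":
    included, extra = compare(SHIP)
    print("dynamic traces are static linearizations:", included)
    print("static-only traces:", sorted(extra))
    print("static label of Example 2 admits compensation before the fault:",
          ("loadA1", "unloadA1", "loadB1") in lin(EXAMPLE2_LABEL))
```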

The next lemma discusses the properties of $\dagger$-labeled transitions.

Lemma 1. If $\Gamma \vdash \langle P,\beta\rangle \xRightarrow{\dagger} \langle P',\beta'\rangle$ then $P'$ is a parallel composition of terms of the form $[P]_{\boxtimes}$.

We can now prove our main theorems, relating the behavior of static and dynamic semantics for SAGAs. We have two theorems, one for each direction.

Theorem 1. If $\Gamma \vdash \langle P,\beta\rangle \xRightarrow{\gamma} \langle \Box,\beta'\rangle$ with $\Box \in \{\boxdot, \boxtimes, \boxplus\}$ then there is a big-step $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{\alpha}_s \langle \Box,\beta''\rangle$ with $\gamma \in lin(\alpha)$ and $\beta' \in lin(\beta'')$.

Proof. The proof is by structural induction on $P$. Actually for the induction we need a stronger hypothesis, requiring also that:

• if $\Gamma \vdash \langle P,\beta\rangle \xRightarrow{\gamma} \langle P',\beta'\rangle$ and $\Gamma \vdash \langle extr(P'),0\rangle \xRightarrow{\gamma'} \langle \boxdot,0\rangle$, then there is a big-step $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{\alpha;\alpha'}_s \langle \boxminus,\beta''\rangle$ with $\gamma \in lin(\alpha)$, $\gamma' \in lin(\alpha')$ and $\beta' \in lin(\beta'')$;

• if $\Gamma \vdash \langle P,\beta\rangle \xRightarrow{\gamma} \langle P',\beta'\rangle$ and $\Gamma \vdash \langle extr(P'),0\rangle \xRightarrow{\gamma'} \langle \Box,0\rangle$ with $\Box \in \{\boxtimes, \boxplus\}$, then there is a big-step $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{\alpha;\alpha'}_s \langle \overline{\boxtimes},0\rangle$ with $\gamma \in lin(\alpha)$ and $\gamma' \in lin(\alpha')$;

• if $\Gamma \vdash \langle P,\beta\rangle \xRightarrow{\gamma} \langle P',\beta'\rangle$, then there is a big-step $\Gamma \vdash \langle P,\beta\rangle \xrightarrow{\alpha}_s \langle \overline{\boxplus},0\rangle$ with $\gamma \in lin(\alpha)$.

We have the following cases:

$P = 0$: the only non-trivial computation is $\Gamma \vdash \langle 0,\beta\rangle \xrightarrow{0}_d \langle \boxdot,\beta\rangle$. The big-step $\Gamma \vdash \langle 0,\beta\rangle \xrightarrow{0}_s \langle \boxdot,\beta\rangle$ derived from rule (ZERO) satisfies the thesis. As far as the empty computation is concerned the two big-steps $\Gamma \vdash \langle 0,\beta\rangle \xrightarrow{0}_s \langle \boxminus,\beta\rangle$ and $\Gamma \vdash \langle 0,\beta\rangle \xrightarrow{0}_s \langle \overline{\boxplus},0\rangle$, derived from rules (FORCED-ABT) and (FORCED-FAIL) respectively, satisfy the thesis.

$P = A \div B$: we have a case analysis according to $\Gamma(A)$. If $\Gamma(A) = \boxdot$ then the only non-trivial computation is $\Gamma \vdash \langle A \div B,\beta\rangle \xrightarrow{A}_d \langle \boxdot,B;\beta\rangle$, and we have a corresponding big-step, derived from rule (S-ACT). Similarly for the case $\Gamma(A) = \boxtimes$, using rule (F-ACT). The empty computations can be matched as before.

$P = P_1;P_2$: assume that there is a computation $\Gamma \vdash \langle P_1;P_2,\beta\rangle \xRightarrow{\gamma} \langle \Box,\beta'\rangle$ with $\Box \in \{\boxdot, \boxtimes, \boxplus\}$. We have to consider the three cases $\Box = \boxdot$, $\Box = \boxtimes$ and $\Box = \boxplus$.

$\Box = \boxdot$: let us consider the first part of the computation. The only possibility is to have the first zero or more steps derived using as last rule (STEP-D) followed by one step derived using as last rule (S-STEP-D). By concatenating the premises we have a computation $\Gamma \vdash \langle P_1,\beta\rangle \xRightarrow{\gamma'} \langle \boxdot,\beta''\rangle$. By inductive hypothesis we have a big-step $\Gamma \vdash \langle P_1,\beta\rangle \xrightarrow{\alpha'}_s \langle \boxdot,\delta''\rangle$ with $\gamma' \in lin(\alpha')$ and $\beta'' \in lin(\delta'')$. Also, using the last part of the computation we have a big-step $\Gamma \vdash \langle P_2,\beta''\rangle \xrightarrow{\alpha''}_s \langle \boxdot,\delta'\rangle$ with $\gamma'' \in lin(\alpha'')$, $\beta' \in lin(\delta')$ and $\gamma = \gamma';\gamma''$. The thesis follows by rule (S-STEP). It is not possible to have the first zero or more steps derived using as last rule (STEP-D) followed by one step derived using as last rule (K-STEP-D) since this computation cannot succeed (see Lemma 1).

$\Box = \boxtimes$: we have a few possibilities here, according to which is the first rule applied different from (STEP-D). If it is rule (S-STEP-D) then the thesis follows by inductive hypothesis applying rule (S-STEP). If it is rule (A-STEP-D) then the thesis follows by inductive hypothesis applying rule (A-STEP). If it is rule (K-STEP-D) then the thesis follows by inductive hypothesis, again applying rule (A-STEP).
$\Box = \boxplus$: similar to the one above.

As far as computations leading to processes are concerned, a similar reasoning can be done. The thesis follows from rule (A-STEP) if the computation is only composed of steps from rule (STEP-D). If the computation includes also a step from rule (S-STEP-D) then the thesis follows from rule (S-STEP). If the computation includes also a step from rule (K-STEP-D) then the thesis follows from rule (A-STEP).

P = P l \P 2 : assume that there is a computation T h (Pi \Pi,P) =^ with □ G {□, Kl, ffl}. We have 

to consider the three cases □ = □,□ = M and □ = H. 

□ = □: let us consider the first part of the computation. The only possibility is to have the first 

zero or more steps derived using as last rule (PAR-D) followed by one step derived using as 
last rule (S-PAR-D). Assume for simplicity that (S-PAR-D) eliminates the first component of 
the parallel composition. By concatenating the premises of those transitions that concern the 

first component we have a computation T h {Pi,0} ==> (H,j8"). By inductive hypothesis we 

have a big-step F h (P u 0) (□, 8") with / G lin(a') and j8" G lin(<5"). Also, using the 
premises of the transitions involving the second component and the last part of the computa- 
tion we have a big-step V h (/ 5 2 ,j8) -^>, (□, 8"') with f G lin(a") and J8'" G lin(<5'"). Also, 
7 is an interleaving of / and y" and j8' is obtained by prefixing j8 with an interleaving of j8" 
and j8' ;/ . The thesis follows by rule (S-PAR) (since □ A □ = □). It is not possible to have 
the first zero or more steps derived using as last rule (STEP-D) followed by one step derived 
using as last rule (K-STEP-D) since this computation can not succeed (see LemmaQ}- 

□ = IE1: we have a few possibilities here, according to which is the first rule applied different from 

(PAR-D). If it is (S-PAR-D) then the thesis follows by inductive hypothesis applying rule 
(S-PAR) (since □ A M = M). If it is (A-PAR-D) then from the premises concerning P we can 
derive an abortion for P. From Q we can derive a computation leading to Q' and an abortion 
for [ex?r(<2')]][3, i.e. a commit for extr(Q'). Thus we can derive a big-step leading to M for 
Q. The thesis follows from rule (S-PAR) (since M AM = M). The case of rule (K-PAR-D) is 
similar, with the abortion coming after all compensations have been consumed (i.e., when 
rule (A-PAR-FIN-D) is triggered). 

$\Box = \boxminus$: we have a few possibilities here, according to which is the first rule applied different from
(PAR-D). If it is (S-PAR-D) then the thesis follows by inductive hypothesis applying rule
(F-PAR) (since $\Box \wedge \boxminus = \boxminus$). If it is (A-PAR-D) then from the premises concerning $P$ we can
derive an abortion for $P$. From $Q$ we can derive a computation leading to $Q'$ and a failure for
$[\![extr(Q')]\!]_{\beta'}$, i.e. an abort or a failure for $extr(Q')$. Thus we can derive a big-step leading to $\boxminus$
for $Q$. The thesis follows from rule (F-PAR) (since $\boxtimes \wedge \boxminus = \boxminus$). The case of rule (K-PAR-D)
is similar. The case of rule (F-PAR-D) follows from rule (F-PAR), since $\boxminus \wedge \boxminus = \boxminus$.

As far as computations leading to processes are concerned, a similar reasoning can be done. One
has to distinguish interrupt from abort and interrupt from failure. In the first case the thesis follows
by inductive hypothesis applying rule (S-PAR) (with $\boxtimes \wedge \boxtimes = \boxtimes$) if both the compensations
succeed. If at least one of the compensations fails then the other one is interrupted by a failure and
the thesis follows by inductive hypothesis applying rule (F-PAR) (with $\boxminus \wedge \boxminus = \boxminus$). If interruption
is from a failure, then the thesis follows from rule (F-PAR) (with $\boxminus \wedge \boxminus = \boxminus$).

$P = \{[P_1]\}$: assume that there is a computation $\Gamma \vdash \langle \{[P_1]\}, \beta\rangle \xRightarrow{\gamma} \langle \Box, \beta'\rangle$ with
$\Box \in \{\Box, \boxtimes, \boxminus\}$. We have to consider the three cases $\Box = \Box$, $\Box = \boxtimes$ and $\Box = \boxminus$.

$\Box = \Box$: we have two possibilities here. The first one is to have the first zero or more steps derived
using as last rule (SAGA-D) followed by one step derived using as last rule (S-SAGA-D).
By concatenating the premises of those transitions we have a computation
$\Gamma \vdash \langle P_1, 0\rangle \xRightarrow{\gamma} \langle \Box, \beta'\rangle$. By inductive hypothesis we have a big-step
$\Gamma \vdash \langle P_1, 0\rangle \xrightarrow{\alpha}_s \langle \Box, \delta'\rangle$ with $\gamma \in lin(\alpha)$ and $\beta' \in lin(\delta')$.
The thesis follows by rule (SUB-CMT). The second case exploits rule (SAGA-D) at the beginning
(or possibly (K-SAGA-D)), then one transition from rule (A-SAGA-D), then some transitions from
rule (PROT-D) and finally one transition from rule (S-PROT-D). Here by considering the premises
of the first part of the computation we have a computation $\Gamma \vdash \langle P_1, 0\rangle \Rightarrow \langle \boxtimes, \beta''\rangle$.
From the second part we get a computation $\Gamma \vdash \langle \beta'', 0\rangle \Rightarrow \langle \Box, 0\rangle$.
The thesis follows from the inductive hypothesis by applying rule (SUB-ABT).

$\Box = \boxtimes$: there is no possibility for a saga computation to lead to an abort, thus this case can never
happen.

$\Box = \boxminus$: we have two possibilities here. The first one is to have the first zero or more steps derived
using as last rule (SAGA-D) (and possibly some (K-SAGA-D)) followed by one step
derived using as last rule (F-SAGA-D). By concatenating the premises of those transitions
we have a computation $\Gamma \vdash \langle P_1, 0\rangle \xRightarrow{\gamma} \langle \boxminus, 0\rangle$. By inductive hypothesis we have
a big-step $\Gamma \vdash \langle P_1, 0\rangle \xrightarrow{\alpha}_s \langle \boxminus, 0\rangle$ with $\gamma \in lin(\alpha)$. The thesis follows by
rule (SUB-FAIL-1). The second case exploits rule (SAGA-D) at the beginning, then one transition
from rule (A-SAGA-D), then some transitions from rule (PROT-D) and finally one transition from
rule (A-PROT-D). Here by considering the premises of the first part of the computation we have a
computation $\Gamma \vdash \langle P_1, 0\rangle \Rightarrow \langle \boxtimes, \beta'\rangle$. From the second part we get a computation
$\Gamma \vdash \langle \beta', 0\rangle \Rightarrow \langle \boxtimes, \beta''\rangle$. The thesis follows from the inductive hypothesis by
applying rule (SUB-FAIL-2).

As far as computations leading to processes are concerned, a similar reasoning can be done. If the
computation is only composed of applications of rules (SAGA-D) or (K-SAGA-D) then the thesis
follows by inductive hypothesis from rule (SUB-FAIL-1) or from rule (SUB-FORCED-2). If there
is an application of rule (A-SAGA-D) then the thesis follows from rule (SUB-FORCED-1).

□ 

The following theorem considers the other direction. 

Theorem 2. If $\Gamma \vdash \langle P, \beta\rangle \xrightarrow{\alpha}_s \langle \Box, \beta''\rangle$ with $\Box \in \{\Box, \boxtimes, \boxminus\}$ then there are
$\gamma \in lin(\alpha)$ and $\beta' \in lin(\beta'')$ such that $\Gamma \vdash \langle P, \beta\rangle \xRightarrow{\gamma} \langle \Box, \beta'\rangle$.

Proof. The proof requires a case analysis similar to the one of Theorem 1. We omit the details. □

Example 5. Consider the ship example and its two executions at the beginning of Example 1 (with static
semantics) and Example 3 (with dynamic semantics). It is easy to see for instance that $loadA;loadB \in$
$lin(loadA|loadB)$ and $unloadB;unloadA \in lin(unloadA|unloadB)$. Thus the dynamic computation is
compatible with the static big-step, for a suitable choice of the interleaving of parallel activities.

Notably, it is not possible to prove Theorem 2 by requiring a computation for each possible linearization
of $\alpha$. In fact the chosen linearization depends on the runtime execution of activities. For instance, in
Example 3 it is not possible to have as observation $loadA;loadB$ and as compensation $unloadA;unloadB$.
Also, abortion of nested sagas is managed in a different way, as shown in the example below.
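The dependency between execution order and compensation order described above, in a small added Python model that is not code from the paper: a flat parallel saga of atomic activities (the ship example, with the compensation names of Example 5 taken as assumed labels). The static side pairs any linearization of the activities with any linearization of their compensations, while the dynamic side forces compensations to run in the reverse of the observed execution order; nesting and aborts in the middle of the forward flow are left out of the model.

```python
from itertools import permutations

# Constructed model (not the paper's formal calculus): a flat parallel saga of
# atomic activities, each with its compensation, e.g. loadA ÷ unloadA.
SHIP = {"loadA": "unloadA", "loadB": "unloadB"}  # ship example of Example 5


def lin(items):
    """lin(a1|a2|...): every sequential interleaving of a parallel composition
    of atomic activities, as a set of tuples."""
    return {tuple(p) for p in permutations(items)}


def static_big_steps(saga):
    """Static (big-step) semantics, rule (S-PAR): the observation is a1|a2 and
    the compensation is b1|b2, and any linearization of the former may be
    paired with any linearization of the latter."""
    return {(obs, comp) for obs in lin(saga) for comp in lin(saga.values())}


def dynamic_computations(saga):
    """Dynamic (small-step) semantics: each completed activity pushes its
    compensation in front of the stored compensation, so on abort the
    compensations run in the reverse of the observed execution order."""
    return {(obs, tuple(saga[a] for a in reversed(obs))) for obs in lin(saga)}


def compatible_with_static(saga, obs, comp):
    """Theorem 1 direction: is (obs, comp) a linearization of some static
    big-step of the saga?"""
    return (obs, comp) in static_big_steps(saga)


def dynamically_possible(saga, obs, comp):
    """Does the dynamic semantics admit this observation/compensation pair?"""
    return (obs, comp) in dynamic_computations(saga)


if __name__ == "__main__":
    # every dynamic computation is compatible with a static big-step ...
    assert dynamic_computations(SHIP) <= static_big_steps(SHIP)
    # ... but not every static linearization is a dynamic computation:
    print(compatible_with_static(SHIP, ("loadA", "loadB"), ("unloadA", "unloadB")))  # True
    print(dynamically_possible(SHIP, ("loadA", "loadB"), ("unloadA", "unloadB")))    # False
    print(dynamically_possible(SHIP, ("loadA", "loadB"), ("unloadB", "unloadA")))    # True
```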
Example 6. Consider the saga in Example 2. According to the static semantics it has a big-step with
label $(loadA_1;unloadA_1)|loadB_1$. In particular, $loadA_1;unloadA_1;loadB_1$ is a possible linearization
of $(loadA_1;unloadA_1)|loadB_1$. However, as shown in Example 4 there is no dynamic computation
with this behavior. There is however a dynamic computation compatible with the big-step, as shown in
Example 4, considering the linearization $loadA_1;loadB_1;unloadA_1$.

These are the main differences between static and dynamic SAGAs: among all the computations 
compatible with the static semantics, only some are acceptable for the dynamic semantics, and whether 
a computation is acceptable or not depends on the relation between the order of execution of activities 
and of their compensations and on the interplay between nesting and parallel composition. 

This also explains why we used a small-step semantics for dynamic SAGAs (while the classic semantics
for static SAGAs is big-step): it is difficult to catch the dependencies between the order of execution
of activities and the order of execution of compensations using big-step semantics. For instance, a rule
such as (S-PAR) in Table 1 tailored for dynamic SAGAs should require that the interleaving chosen for
activities in $\alpha_1|\alpha_2$ is the same as the one chosen for their compensations in $\beta_1|\beta_2$, and one would need
to track the correspondence between activities and their compensations.

Summarizing, the theorems above provide the following insights: 

• the static and the dynamic semantics are strongly related, in the sense that for each static big-step 
there is (at least) one dynamic computation compatible with it, and for each dynamic computation 
there is a compatible big-step; 

• the two semantics are not equivalent, since not all the computations compatible with a big-step are 
valid dynamic computations; 

• in the dynamic semantics the order of execution of compensations depends on the order of execu- 
tion of basic activities, while this is not the case for the static semantics; 

• in the dynamic semantics compensations of subtransactions can be observed only after the abort 
itself has been observed. 

5 Conclusion 

We have presented two semantics for nested SAGAs, a static semantics following the centralized
interruption policy and a dynamic semantics. The two semantics are a non-trivial step forward w.r.t. the
non-nested case presented in the literature (cf. [3] and [?]). Even the static semantics is quite different
from the (static) semantics of nested SAGAs with distributed interruption presented in [6]. The main
difference lies in the different ways compensations have to be managed in the two cases. Actually, we
think that the semantics with distributed interruption is realistic only in asynchronous settings since, as
said in [3], it "includes a "guessing mechanism" that allows branches on the forward flow to compensate
even before an activity aborts". This forbids for instance an encoding into a lower-level framework such
as the one in [14]. A similar behavior occurs also in our static semantics, but only in the case of nested
transactions.

As far as future work is concerned, many different proposals of primitives and models for long-running
transactions have been put forward in the last years, yet a coherent picture of the field is still far away.
Understanding the relationships between the different formalisms is fundamental in order to understand
which of them are best suited to be introduced in real languages. Even restricting our attention to SAGAs,
the interplay between dynamicity and the different approaches presented in [3] has to be fully analyzed.
Also, we are currently working [4] on a static semantics for SAGAs which is distributed but does not
require the guessing mechanism described above.